This is by no means enough to take the exam, but these were helpful points of reference that I used to review.
The 3 most important tips, outside of reviewing the white papers and re:Invent videos:
- try out every lab you can on ACloudGuru / LinuxAcademy, especially related to using CloudWatch and to using KMS
- have a strong sense of how the following work together:
- Lambda with everything
- CloudFront, ELB (all 3 types), AWS WAF
- CloudTrail, CloudWatch logs, S3, Athena
- Macie with S3
- have a good sense of the different use cases for the following:
- GuardDuty
- Inspector (especially what you can and can’t choose, and how to troubleshoot)
- Config (especially types of config rules)
- Trusted Advisor (know its limitations)
I cannot stress the importance of trying these tools out, going through labs, and stubbing your toe. Even if you have experience with some of them, you need exposure to all in order to pass. People who just try to cram for this routinely fail, it was designed to beat them. Besides, learning from labs is much more efficient than cramming, and you get immediate feedback if you make a mistake.
- AWS CloudTrail FAQ x 3
- CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
- It is recommended to use a dedicated S3 bucket for CloudTrail logs.
- CloudTrail can also send logs to CloudWatch Logs, which can then trigger CloudWatch Events
- Within an AWS Organization, you can create one CloudTrail to cover all accounts.
- Management and Data events are handled by separate CloudTrails.
- Data Events: operations on or within a resource - Often high-volume - Disabled by default - You must explicitly add the supported resources or resource types for which you want to collect activity to a trail.
- Management Events: Configuration or security changes
- You should log the events to separate buckets, then configure access to the CloudTrail and read only access to the S3 bucket using an IAM policy attached to the user or group.
- When you apply a trail to all regions, CloudTrail uses the trail that you create in a particular region to create trails with identical configurations in all other regions in your account.
- To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use CloudTrail log file integrity validation.
- KMS FAQ x 2
- Imported key material
- Automatic key rotation is not available for CMKs that have imported key material, you will need to do this manually.
- Customer managed keys
- A customer managed CMK supports automatic key rotation once per year.
- Creating and managing your own CMK gives you more flexibility, including the ability to create, rotate, disable, and define access controls, and to audit the encryption keys used to protect your data.
- AWS managed keys
- AWS managed keys automatically rotate once every three years.
- AWS Config FAQ x 2
- You can send notifications or take automated action with Lambda when a resource violates a rule.
- Inspector FAQ x 2
- The runtime behavior package checks for insecure protocols like Telnet, FTP, HTTP, IMAP, rlogin etc.
- Neither the AWS Config restricted-common-ports check or Trusted Advisor will give you this information.
- CloudWatch FAQ x 2
- You can use Amazon CloudWatch Logs to monitor, store, and access your log files from EC2 instances, AWS CloudTrail, Route 53, and other sources.
- CloudWatch alone lacks the business rules that are provided with GuardDuty to create an event whenever malicious or unauthorized behavior is observed.
- GuardDuty can trigger CloudWatch Events which can then be used for a variety of activities like notifications or automatically responding to a threat.
- If an anomaly is detect, CloudWatch Event can trigger a Lambda.
- You can use Amazon CloudWatch Logs to monitor, store, and access your log files from EC2 instances, AWS CloudTrail, Route 53, and other sources.
- You can then retrieve the associated log data from CloudWatch Logs.
- You can use CloudWatch Events to schedule automated actions that self-trigger at certain times using cron or rate expressions.
- You can configure Amazon Inspector as a target for CloudWatch Events.
- Lambda FAQ x 2
- For Lambda to send logs to CloudWatch, the function execution role needs to permission to write to CloudWatch.
- For Lambda to make API calls to DynamoDB, the function execution role needs many permissions to interact with DynamoDB.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem"
],
"Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/SampleTable"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "arn:aws:logs:eu-west-1:123456789012:*"
},
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "*"
}
]
}
- Checks Security Groups for rules that allow unrestricted access (0.0.0.0/0) to specific ports such as SSH.
- AWS Config can alert you to any modifications to a Security Group but out of the box, it will not perform a check for unrestricted access.
- Ports flagged green are typically used by applications that require unrestricted access, such as HTTP and SMTP.
- Other core best practice checks:
- S3 Bucket Permissions
- IAM Use
- MFA on Root Account
- EBS Public Snapshots
- RDS Public Snapshots
- VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
- Flow log data can be published to Amazon CloudWatch Logs and Amazon S3.
- Flow logs can help you with a number of tasks:
- Diagnosing overly restrictive security group rules
- Monitoring the traffic that is reaching your instance
- Determining the direction of the traffic to and from the network interfaces
- Aiding in investigating suspicius traffic
- The default DHCP option set specifies AmazonProvidedDNS but you can provide the IP address of up to 4 of your own DNS servers.
- You cannot update the existing option set, you must delete it and create a new one.
- Security groups are stateful, if you have allowed the inbound traffic you do not need to create a rule to allow the outbound reply.
- By default an SG allows any outbound traffic so you don't need to add an outbound rule to a server in a public subnet.
- With AWS Direct Connect plus VPN, you can combine one or more AWS Direct Connect dedicated network connections with the Amazon VPC VPN.
- This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.
- GuardDuty FAQ
- It is a managed service that can watch CloudTrail, VPC Flow Logs and DNS Logs, watching for malicious activity.
- It can detect instances exhibiting signs of compromise, such as:
- Attempting to communicate with a command and control server.
- Behaving as a spam bot with email traffic over port 25.
- Sending requests that look like it is part of a DoS attack
- GuardDuty Backdoor
- It has a build-in list of suspect IP addresses and you can also upload your own lists of IPs.
- GuardDuty can trigger CloudWatch Events which can then be used for a variety of activities like notifications or automatically responding to a threat
- Services that support parameter store:
- Amazon EC2
- Amazon ECS
- AWS Lambda
- If a service does not directly support it (e.g., RDS), just use Lambda in association with the service
- AWS CloudFormation
- AWS CodeBuild
- AWS CodeDeploy
- Configure integration with the following AWS services for encryption, notification, monitoring, and auditing:
- Amazon SNS
- Amazon CloudWatch
- AWS CloudTrail
- AWS KMS
- An instance role needs permission both to read an SSM parameter and to use KMS to decrypt it.
- Parameter Store uses KMS customer master keys to encrypt the parameter values when you create or change them.
- Parameter Store supports only symmetric CMKs. You cannot use asymmetric CMKs to encrypt your parameters.
- The default predefined patch baseline for Windows servers in Patch Manager is
AWS-DefaultPatchBaseline.
- Supports encryption only for Redis 3.2.6, 4.0.10 and later, not Memcached.
- If you suspect that your account is compromised, do the following:
- Change your AWS account root user password.
- Rotate and delete all root and AWS Identity and Access Management (IAM) access keys.
- Delete any potentially compromised IAM users, and change the password for all other IAM users.
- Delete any resources on your account you didn't create, such as EC2 instances and AMIs, EBS volumes and snapshots, and IAM users.
- Respond to any notifications you received from AWS Support through the AWS Support Center.
- The AWS service receives the request
- AWS first authenticates the principal.
- Except for services such as S3 that allow anonymous access).
- Next, AWS determines which policy to apply to the request.
- Actions (or operations) – The actions or operations that the principal wants to perform.
- Resources – The AWS resource object upon which the actions or operations are performed.
- Principal – The user, role, federated user, or application that sent the request. Information about the principal includes the policies that are associated with that principal.
- Environment data – Information about the IP address, user agent, SSL enabled status, or the time of day.
- Resource data – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.
- Then, AWS evaluates the policy types and arranges an order of evaluation.
- Identity-based policies
- Resource-based policies
- IAM permissions boundaries
- AWS Organizations service control policies (SCPs)
- Session policies (e.g. for federated user sessions)
- Finally, AWS then processes the policies against the request context to determine if it is allowed.
- Corporate user accesses the corporate Active Directory Federation Services portal sign-in page and provides Active Directory authentication credentials.
- AD FS authenticates the user against Active Directory.
- Active Directory returns the user’s information, including AD group membership information.
- AD FS dynamically builds ARNs by using Active Directory group memberships for the IAM roles and user attributes for the AWS account IDs, and sends a signed assertion to the users browser with a redirect to post the assertion to AWS STS.
- Temporary credentials are returned using STS AssumeRoleWithSAML.
- The user is authenticated and provided access to the AWS management console.
- If you connect to your instance using SSH and get any of the following errors, "Host key not found in
[directory]", "Permission denied (publickey)", or "Authentication failed, permission denied", verify that you are connecting with the appropriate user name for your AMI and that you have specified the proper private key (.pem) file for your instance. - If you lose the private key for an EBS-backed instance, you can regain access to your instance. You must:
- stop the instance,
- detach its root volume and attach it to another instance as a data volume,
- modify the
authorized_keysfile, - move the volume back to the original instance, and
- restart the instance.
- AWS GuardDuty is not an IDS. While it does perform threat detection based on logs, it does not detect intrusion.
- AWS Shield is not an IPS. It mitigates DDoS attacks, but it does not prevent intrusion.
- AWS acknowledge that they do not provide IPS/IDS.
- Instead they suggest that third-party software can be used to provide additional functionality such as deep packet inspection, IPS/IDS, or network threat protection.
- Search for IPS on AWS Marketplace and you will find a range of suitable products!